Privacy on Edge

iWatch News

Google street view car in Varberg, Sweden

Perhaps you’ve seen them trundling past your house—those ruby-red Google Street View compact cars, with a tripod camera mounted on the roof. They have cruised through almost every major town in the developed world, photographing each house and posting the pictures on Google Maps.

But one year ago, following the German government’s demand for more information, Google representatives were forced to admit that the cars were gathering more than harmless pictures; they were systematically gathering data on anyone using a nearby, unsecured Wi-Fi network. If you were within range and surfing the Web without a password, Google took a little electronic snapshot of whatever you were doing.

Outraged governments began to move. Officials in Germany, Spain, France, and other countries demanded to see the data Google had collected on their citizens.

After reviewing the information, the Canadian Privacy Commission declared that Google had broken the law thousands of times. “The personal information collected included complete emails, passwords, and a list of people who suffered from very specific medical conditions, along with their phone numbers,” says Commission spokeswoman Anne-Marie Hayden. “We estimate that thousands of Canadians were affected.”

French officials recently fined Google €100,000 ($142,000), adding that the company had actually made use of the data. South Korean police even raided Google’s Seoul offices last year.

But here in the United States, the Obama administration has barely taken notice.

Federal regulators and Justice Department officials have either ignored the incident or conducted cursory investigations that privacy advocates and members of Congress have openly complained about.

And some critics wonder if President Barack Obama’s personal ties to Eric Schmidt, who served as Google’s CEO until January, may have something to do with it. Google representatives declined repeated requests for comments.

The company has claimed in numerous blog posts that one of its engineers accidentally included a snippet of code in the Street View Cars, and that Google never had any intention of stealing private Internet data. “Quite simply, it was a mistake,” wrote Google Vice President Alan Eustace when the scandal first broke.

Privacy expert Jim Dempsey, vice president for public policy at the Center for Democracy and Technology, says he doubts that Google deliberately set out to collect this data.

“No one can honestly believe that,” Dempsey says. “The notion that driving a car down the street is an efficient way to collect information—I’m sorry, I just don’t buy it … The secondary content they collected was not only unintentional, but worthless. It’s just random data.”

And apparently, this explanation has been good enough for the feds. Because even though Google has admitted to spying on perhaps hundreds of thousands of Americans, the U.S. government’s response has been so muted that privacy advocates have resorted to elaborate pranks to embarrass officials into acting.

Take the Federal Trade Commission. The FTC opened an investigation shortly after the Wi-spying affair was made public in May 2010, but closed it almost as quickly in October, citing Google’s “assurances to the FTC that the company has not used and will not use any of the payload data collected,” and a company pledge to make “improvements to its internal processes.” Google promised not to do it again, and the FTC was satisfied.

The Electronic Privacy Information Center (EPIC), a Washington, D.C.-based privacy advocacy group, wasn’t quite as satisfied. EPIC officials submitted a Freedom of Information Act request and received internal FTC emails about the Google probe that suggest government lawyers treated this as a trivial affair almost from the beginning. One senior FTC attorney complained in an email that the Wi-spying investigation “wasted my summer,” and hoped that a congressional briefing on the subject “won’t be too much of a time suck.”

Activists with Consumer Watchdog, a Los Angeles-based consumer advocacy group, decided that Congress needed a lesson in just how serious this violation may have been. Security experts drove by the Washington homes of members of Congress whose homes appear on Google Street View, and used the same software employed by Google to check if the search engine could have stolen data from their Wi-Fi networks.

The watchdog group found open Wi-Fi networks near the homes of Democratic Reps. Henry Waxman, Edward Markey, John Dingell, and then-Rep. Rick Boucher. Two unsecured Wi-Fi networks clearly belonged to Democrat Jane Harman, who then chaired the Intelligence Subcommittee of the House Homeland Security Committee. Google could have secretly recorded sensitive emails about U.S. homeland security, the group said. All five Democrats declined to comment for this story.

According to John Simpson, who investigates Google for Consumer Watchdog, such theatrics are critical. Unless the federal government holds the search giant accountable at times like this, he says, Google will keep trying to see what else it can learn about consumers. He sees it as part of the company’s DNA.

“I think they deliberately set out to gather the data,” Simpson says. “At least the people who created the project set out to gather the maximum amount of data. That stems from the engineering mindset, that you should always gather as much data as you can, because you never know what you can do with it.”

As a result of this and a formal complaint by EPIC, the Federal Communications Commission in November acknowledged it had opened an investigation. But as the months have dragged on, members of Congress have lost patience with the FCC.

In February, Democratic Rep. John Barrow of Georgia and Republican Rep. Mike Rogers of Michigan sent a letter to FCC Chairman Julius Genachowski, complaining that the FTC walked away without asking any serious questions and requesting that the FCC do a more thorough job than its counterpart.

“Nine months after Google first admitted to collecting this data, we still don’t have answers as to how this privacy breach was allowed to take place and how many Americans were affected, let alone a credible assurance that it will not happen again,” the congressmen wrote. “The lack of progress in this investigation is concerning.” Neither lawmaker responded to requests for additional comments.

And on March 30, an exasperated Rep. Tom Graves, a Georgia Republican, grilled Genachowski on the status of the FCC’s probe during an appropriations subcommittee hearing. “There could be almost 62 million emails picked up, but you don’t know when you will be able to tell us about all this?” Graves asked, according to The Hill . “Would you consider this eavesdropping?”

“I apologize. I want to answer, but we cannot comment,” Genachowski replied.

“What do you think the response would be by the American people if the federal government drove around and took pictures of neighborhoods and while doing that picked up private unencrypted Wi-Fi messages of Americans?” Graves later added. “Do you think the American people would be mad?”

“Yes, I think they would be mad,” said Genachowski.

Google patent application

With the feds so seemingly languid, it has fallen to state governments and trial lawyers to investigate Google. And their experience shows that unless a national government takes a serious interest in the case, Google will go to considerable lengths to keep the details of its privacy violations—well, private.

At first, Google’s Eric Schmidt was cavalier about the whole thing. “Who was harmed? Name the person,” he said from the podium of Google’s Zeitgeist conference in Great Britain, just four days after the Wi-spying scandal broke on May 14, 2010.

Schmidt soon found that plenty of people were eager to take him up on that challenge, as France, Germany, and Spain demanded to see the data Google had swiped from their citizens. After hemming and hawing for a few days, the company handed over the information to those countries.

According to Christian Schroeder, a German lawyer who specializes in data protection and Internet security, European governments take a much harder line on privacy issues, and their citizens are not at all inclined to simply take Google’s good intentions on faith. “Data privacy has become really a topic in the German public for two or three years,” he says. “And when a major multinational corporation like Google gathers such data that goes into their personal lives,that raised a lot of fears among the German public.”

It’s been a decidedly different story in the United States.

When Connecticut Attorney General Richard Blumenthal investigated on behalf of 39 other states and requested to see the same data, Google refused to provide what it had given every other government that had asked until then.

Blumenthal, a Democrat, issued a civil investigative demand for the data, noting in a press release his frustration with Google’s lack of cooperation. “Reviewing this information is vital because Google’s story changed, first claiming only fragments were collected, then acknowledging entire emails,” wrote Blumenthal. “We will fight to compel Google to come clean.”

Seven weeks later, Blumenthal left to take a seat in the U.S. Senate. His successor, George Jepsen, agreed to drop the demand for data, signed a stipulation that simply acknowledges that the company recorded a lot of private data, and said he would hold settlement discussions with the company . Jepsen’s office refused to discuss the investigation.

As for Blumenthal, he hasn’t finished with Google yet. In fact, the senator may be one of the few officials willing to ask the company hard questions about the scandal.

When news broke that Apple and Google smartphones have the capacity to track users as they move through the country, Democratic Sen. Al Franken of Minnesota convened a May 10 hearing of the Judiciary Committee’s privacy panel to ask both companies about their privacy policies. Blumenthal was at the hearing, and subjected Alan Davidson, Google’s director of public policy for the Americas, to the first serious public grilling about the Wi-Spy affair.

“The company first denied that it was collecting this information, did it not?” Blumenthal asked Davidson, referring to the Google Street View incident.

“It did,” Davidson replied. “We did not believe that we were doing—we did not know that we were.”

“And then it denied that it was collecting it intentionally, is that true?” Blumenthal asked.

“I think we still believe we were not collecting it intentionally,” Davidson said.

Blumenthal then produced a 2008 patent application for the technology used in the Street View cars. He noted that according to the application, the goal of the technology was to download Internet data on unsecured Wi-Fi networks, and darkly suggested that perhaps this was more than a simple blunder.

“The interception and download of this personal data is contemplated in fact by a patent application that’s been submitted by Google to both the U.S. patent office and internationally. Does it not?” the senator asked.

“I’m not specifically familiar with the details of the patent application,” Davidson said.

“I think you’ve been provided with a copy,” Blumenthal replied. “Maybe you could have a look at it.”

After reviewing the document, Davidson reiterated that Google never meant to collect this data and was “honestly embarrassed.” Blumenthal still wasn’t satisfied: “Why would the company then submit a patent application for the process, that very process, that it denies having used?”

“I’m sorry, I can’t speak to the specifics of this patent,” Davidson said. “We were not aware that this was a topic for today’s hearing.”

Google dealt setback in class-action suit

Meanwhile, a number of private attorneys have sued the company in federal court and are seeking to bind the suits into a class action.

It’s a little tricky to determine if their plaintiffs even have standing; they have to establish that Google actually swiped Internet data from their clients, and of course Google has refused to make this information public. But first, they must overcome Google’s motion to dismiss the lawsuits—and the company’s argument has disturbing ramifications for the future of online privacy in America.

Under the Electronic Privacy Communications Act—the 1986 federal law enacted 12 years before Google was born—any electronic communication that is readily accessible by the public is fair game to be intercepted. Radio signals, for example, are exempt from privacy protections. Because unsecured Wi-Fi networks are transmitted by radio, Google’s lawyers argued, the company is legally free to suck up anything their cars happened to drive past.

Just last week, however, U.S. District Judge James Ware in San Jose, Calif., rejected Google’s request to dismiss the class-action lawsuit, allowing the wiretapping allegation to proceed.

“The Court finds that Plaintiffs plead facts sufficient to state a claim for violation of the Wiretap Act. In particular, Plaintiffs plead that Defendant intentionally created, approved of, and installed specially-designed software and technology into its Google Street View vehicles and used this technology to intercept Plaintiffs’ data packets, arguably electronic communications, from Plaintiffs’ personal Wi-Fi networks,” the judge wrote. “Further, Plaintiffs plead that the data packets were transmitted over Wi-Fi networks that were configured such that the packets were not readable by the general public without the use of sophisticated packet sniffer technology.”

Ware’s ruling is also important for users of Wi-Fi networks in airports, coffee shops, and other public areas to check for email.

In 2006, Google made a bid to administer a proposed but ultimately abandoned municipal Wi-Fi network for San Francisco, to turn the entire city, in effect, into one vast hotspot. Under Google’s own arguments, the search engine would have had the right to spy on any San Franciscan using its own network.

Over the years, Google and the federal government have done more and more business together, as the feds farm out government administrative services to the company. Under the Obama administration, the relationship has grown particularly intimate.

Before the 2008 election, Google employees donated more than $800,000 to Obama’s campaign, and Eric Schmidt publicly endorsed the candidate and sat with him on a panel discussing the future of the economy. After the election, Sonal Shah, an official with Google.org, was appointed to the Obama transition team. Shah now serves as the director of the White House Office of Social Innovation and Civic Participation, and Schmidt sits on the President’s Council of Advisors on Science and Technology. In addition, Andrew McLaughlin, who once served as Google’s head of global public policy, was a deputy chief technology officer in the Obama administration until resigning in December.

These ties coincide with a burgeoning Beltway lobbying presence on Google’s part. According to the Center for Responsive Politics, Google spent just $800,000 on lobbying in 2006. But in 2010, that expense had grown to more than $5.1 million. In addition, Google spent $600,000 in 2010 to retain the Podesta Group, the lobbying firm started by John Podesta, who oversaw Obama’s transition team.

In January, Consumer Watchdog released a report that detailed the range of the federal government’s current contracts with Google. The amount of cash the group found is only $40 million, a tiny amount compared to Google’s annual revenue of almost $30 billion. But the contracts give the company a competitive edge in key emerging markets, as well as highlight the deepening relationship between Google and the Obama administration—and the conflicts of interest that could potentially arise.

Last summer, for example, Google secured federal certification for its Apps for Government software, a service that places key government documents and email functions in the cloud computing network operated by Google Apps. A few months later, that certification enabled Google to secure a $6.5 million contract to provide email services for the 15,000 employees of the U.S. General Services Administration.

Google executives have long considered cloud-based applications as one of their main sources of future revenue, and having a federal certification goes a long way toward convincing corporations, small businesses, and state and local governments to let Google run their office software. The federal government’s computer budget alone is worth an estimated $76 billion annually.

In addition, the FCC has begun using Google Analytics to plant cookies in the computers of people who visit their website and track their web habits thereafter. In addition to privacy concerns, the deal raises eyebrows among some critics who contend that the FCC should not be doing business with a company it is investigating.

Google also has long-standing relationships with federal law enforcement and intelligence services, some shrouded in secrecy.

The FBI and the Drug Enforcement Administration both use Google Earth Enterprise software for interdicting drug trafficking and other functions. The Pentagon’s National Geospatial-Intelligence Agency, which supports overseas military operations, has given Google a $27 million contract to provide Google Earth spatial imaging software.

One of the oddest deals has to be Google’s contract with the National Aeronautics and Space Administration.

Google gets to park its fleet of corporate jets at NASA’s Moffett Field—less than three miles down the road from the GooglePlex headquarters in northern California—and in return, NASA collects a premium rent and gets to use the jets to conduct research on global warming. But over the years, NASA has used Google’s planes just once or twice a year, according to a schedule provided by Administration officials.

Finally, there’s Obama’s personal friendship with Schmidt. Building on years of fundraising, endorsements, and private conversations, Obama went out of his way to mention Google as the equal of Thomas Edison in his State of the Union address in late January. A month later, Obama met with Schmidt at a dinner in Woodside, Calif., along with other Silicon Valley titans.

In late January, Schmidt announced that he would be stepping down as Google’s CEO and moving into an emeritus role.

To be sure, Google has hit a few bumps in the road as the company expanded its Washington presence.

After the Google Buzz fiasco, in which the search giant’s Facebook clone compromised the privacy of thousands of Gmail users, the FTC announced that Google had agreed to submit to biennial audits of its privacy policies and acquire its users’ consent before sharing confidential information with third parties such as advertisers.

And in early April, the Justice Department added stiff conditions to its approval of Google’s acquisition of the airline travel search company ITA Software.

According to Consumer Watchdog’s John Simpson, the many intersections between Google and the Obama administration send a signal to federal regulators: don’t push too hard.

“I don’t think Obama has called Justice and said, ‘Go easy on antitrust,’” he says. “But I think the staff at the Justice Department looking at Google’s acquisitions can’t help but notice that when O gave a shout out to companies in his State of the Union Address, one of those companies was Google.”

Chris Thompson writes for iWatch News, a project of the Center for Public Integrity, from where this article is reprinted. Please note: CPI board member Olivia Ma is the news manager for YouTube, which was acquired by Google in 2006.